NERC FFT Reports: Reliability Standard CIP-002-3


Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

  • Reliability Standard: CIP-002-3
  • Requirement: R4
  • Region: WECC
  • Issue: WECC determined that a senior manager from FFT Entity did not review FFT Entity’s Risk Based Assessment Methodology (RBAM), as required, for the 2010 calendar year. This requirement was added in Version 3 of the CIP Reliability Standards.
  • Finding: WECC found that the issue constituted only a minimal risk to BPS reliability since FFT Entity does not have any CAs or CCAs and therefore its failure to have a senior manager approve the RBAM for 2010 did not have a negative impact on the BPS. In addition, FFT Entity’s CIP senior manager had approved the CA and CCA list for calendar year 2010 and the RBAM was approved in 2009 and again in 2011.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

  • Reliability Standard: CIP-002-3
  • Requirement: R4
  • Region: Texas RE
  • Issue: At a Spot Check, Texas RE found that no Senior Manager at FFT Entity had approved FFT Entity’s Critical Asset Methodology (RBAM).
  • Finding: TRE found that the issue did not pose a serious risk to the BPS. FFT Entity did not have any Critical Assets or any Critical Cyber Assets. The RBAM nevertheless existed; it simply had not been signed by the Senior Manager. The Senior Manager approved the RBAM, CA and CCA within the one-year period required by the Standard.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

  • Reliability Standard: CIP-002-3
  • Requirement: R3
  • Region: Texas RE
  • Issue: During a Spot Check, Texas RE found that FFT Entity’s risk-based assessment included a CA and CCA list addressing the Standard’s requirement. FFT Entity was unable to furnish earlier versions of those lists, even though the Standard requires annual review and assessment of CAs and CCAs.
  • Finding: Because FFT Entity did not and does not have any CAs or any CCAs, this issue did not constitute a serious risk to the BPS.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

  • Reliability Standard: CIP-002-3
  • Requirement: R2
  • Region: Texas RE
  • Issue: During a Spot Check, Texas RE found that FFT Entity’s risk-based assessment included a CA and CCA list addressing the Standard’s requirement. FFT Entity was unable to furnish earlier versions of those lists, even though the Standard requires annual review and assessment of CAs and CCAs.
  • Finding: Because FFT Entity did not and does not have any CAs or any CCAs, this issue did not constitute a serious risk to the BPS.

Find, Fix and Track Entity, FERC Docket No. RC12-6 (December 30, 2011)

  • Reliability Standard: CIP-002-3
  • Requirement: R1
  • Region: Texas RE
  • Issue: Texas RE discovered via audit that FFT Entity’s Risk-Based Assessment Methodology failed to consider applicable assets of its Qualified Scheduling Entity, which was contracted to communicate with the RC and the BA.
  • Finding: The issue did not constitute a serious risk. FFT Entity had no CAs. FFT Entity’s Risk-Based Assessment Methodology excluded the Qualified Scheduling Entity communications because those communications were not able to control FFT Entity’s generation assets.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: R4
  • Region: WECC
  • Issue: During an audit, WECC determined URE did not comply with R4 because it did not maintain a signed and dated list of its CCAs. URE does not have any CCAs.
  • Finding: WECC determined that the violation posed a minimal risk to BPS reliability because URE did not have any CCAs and it did have a risk-based assessment methodology and a list of CAs. URE mitigated the violation by creating a list of CCAs and having it signed by a senior manager.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: R1
  • Region: RFC
  • Issue: While conducting a compliance audit, RFC found that URE had not maintained a risk-based assessment methodology (RBAM) in accordance with CIP-002-3 R1. RFC reported that URE’s RBAM contained only one question – “Does an asset, if destroyed, degraded, compromised or otherwise rendered unavailable, adversely impact the reliability or operability of the Bulk Electrical System (BES)?” The RBAM had three levels of impact determinations, “Low,” “Medium” and “High,” with basic information on the category’s criteria; however, there was no other information on how to determine a category for an asset or how to decide if a plant loss falls into one of the categories. With such limited information, RFC found the RBAM did not provide adequate instruction to a user, leaving it not effectively risk-based.
  • Finding: The issue was found to pose minimal risk to BPS reliability because even though the RBAM was not compliant with the Standard, it did have basic information and URE was found to have no assets or CAs, which URE had originally reported.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: R2, R3, R4
  • Region: RFC
  • Issue: While conducting a CIP compliance audit, RFC found that URE could not show that it had applied its RBAM on an annual basis as required. As such, URE could not show that it had a list of CAs and associated CCAs as required by R2 and R3, respectively. In addition, URE could not show that the RBAM, the CA list or the CCA list had been approved by a senior manager, as required by CIP-002-3 R4.
  • Finding: RFC found the issues to pose minimal risk to BPS reliability. URE reviewed its RBAM and lists of CAs and associated CCAs in place during the relevant time period and self-certified that it found itself to be in conformance with the requirements of the Reliability Standard. URE had no CAs or CCAs, and the RBAM in place did indicate what types of assets should be included in annual reviews and confirmed that URE had no CAs or CCAs. URE’s RBAM did consider all interconnection points and the size of URE’s load.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: R4
  • Region: FRCC
  • Issue: URE submitted a self-certification reporting that its annual CA and CCA list and risk-based assessment methodology (RBAM), although completed on time, were not approved, signed and dated by a senior manager until 26 days after the due date. URE reported that the list had not changed from the previous two years.
  • Finding: FRCC determined the issue posed a minimal risk to BPS reliability because the RBAM application review was completed on time and all CAs and CCAs had been identified to NERC; however, the documentation was not signed by the senior manager, as required. No additional CAs or CCAs were identified.

Unidentified Registered Entities, Docket No. RC12-12 (May 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: R4
  • Region: SPP
  • Issue: Two UREs in the SPP region submitted self reports describing identical violations. In particular, neither URE had detailed lists of its CAs or CCAs that had been approved by a senior manager. Although UREs had lists generally identifying CCAs critical to operation of CAs, and those lists were approved by a senior manager, they did not contain a detailed component inventory, as required by the Standard.
  • Finding: The issue was deemed to pose minimal risk to BPS reliability because, although the lists submitted and approved by their respective senior managers did not contain the required level of detail, such lists did exist at both UREs.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 1.1
  • Region: SPP RE
  • Issue: While conducting a CIP audit of URE, the SPP RE audit team found that the risk-based assessment methodology (RBAM) established by URE to classify CAs did not include a complete description of the criteria used to determine whether an asset is a Critical Asset, causing an issue with the requirements of the Reliability Standard.
  • Finding: The violation was deemed by SERC to pose minimal risk to BPS reliability because URE did have an RBAM in place that was documented and maintained; however, the RBAM failed to set forth what criteria were considered in determining whether or not an asset is a Critical Asset. URE’s RBAM successfully established that URE has no CAs or CCAs. URE updated its RBAM to include the required information, and no CAs were identified once the RBAM was complete.

Unidentified Registered Entity (URE), Docket No. RC12-13 (June 29, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 2
  • Region: FRCC
  • Issue: While conducting a CIP Compliance Audit, FRCC found that URE did not classify one facility as a CA despite the facility being deemed critical to the establishment of Interconnection Reliability Operating Limits (IROLs) by its Reliability Coordinator. URE’s CA list was updated and accurate approximately three months after FRCC’s finding.
  • Finding: The violation was deemed to pose minimal risk to BPS reliability because in previous years, URE reported it had no CAs, although the facility in question is actually a CA. No CIP Standards were applicable in this instance because the CAs at the relevant facility used a non-routable protocol.

Unidentified Registered Entity (URE), Docket No. RC12-14 (July 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 4
  • Region: WECC
  • Issue: URE submitted a self-report disclosing non-compliance with CIP-002-3 R4 in that its annual review of its risk-based assessment methodology (RBAM) and lists of CAs and CCAs had not been approved by the senior manager responsible for CIP compliance in a timely manner. URE requires the documents to be reviewed and approved by not only its CIP compliance manager, but two other managers as well for each calendar year. Those two managers signed and approved the documents prior to the required date; however, the manager responsible for CIP compliance was on vacation and did not review and approve the documentation until 13 days after the due date.
  • Finding: The issue was deemed by WECC to pose minimal risk to BPS reliability because only the final approval of the CIP senior manager in charge of CIP compliance was missing and for only a 13-day period. In prior and subsequent years, the approval and review were timely submitted. All CAs and CCAs had been identified, reviewed and approved by the two other managers at URE.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 2
  • Region: SERC
  • Issue: During an audit, SERC found that URE failed to provide evidence of a Critical Asset list determined through its annual application of RBAM (in violation of R2). SERC reviewed documents produced by URE and found that URE had RBAMs from three prior years, which stated that URE had no Critical Assets and no Critical Cyber Assets (CCAs). SERC determined that URE could not provide evidence it developed its list of Critical Assets in a prior year.
  • Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS since URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4. In addition, URE applied three prior years’ RBAMs, resulting in null lists for Critical Assets and indicating that URE did not acquire any Critical Assets in the omitted year.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 3
  • Region: SERC
  • Issue: During an audit, SERC found that URE failed to provide evidence of an associated list of Critical Cyber Assets (CCAs) derived from its list of Critical Assets in a prior year (in compliance with R3). SERC reviewed documents produced by URE and found that URE had RBAMs from three prior years, which stated that URE had no Critical Assets and no Critical Cyber Assets (CCAs). SERC determined that URE could not provide evidence that it had developed a list of CCAs in a prior year.
  • Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS since URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4. In addition, URE applied three prior years’ RBAMs, resulting in null lists for Critical Assets and indicating that URE did not acquire any Critical Assets or CCAs in the omitted year.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 1
  • Region: WECC
  • Issue: During a compliance audit, WECC determined that FFT Entity's risk-based assessment methodology (RBAM) did not properly identify and document its Critical Assets and CCAs as the methodology did not contain a risk-based assessment component.
  • Finding: WECC found that the issue only constituted a minimal risk to BPS reliability since FFT Entity does not have Critical Assets or CCAs. In addition, FFT Entity's prior RBAM resulted in accurate null lists of Critical Assets and CCAs.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-2-000 (November 30, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 4
  • Region: WECC
  • Issue: URE self-reported that it failed to document annual approval of its RBAM during 2010 (per R4). A WECC SME reviewed the self-report and determined that URE had documented and implemented an RBAM to use to identify its CAs, as well as developed a list of its identified CAs and associated CCAs; however, the senior manager neglected to sign and date a copy of the RBAM for 2010.
  • Finding: WECC found the issue posed a minimal risk to the reliability of the BPS since URE did not have any CAs or CCAs. In addition, URE's senior manager did sign and approve the null lists of CAs and CCAs during 2010, despite failing to sign the RBAM.

Unidentified Registered Entity ("URE"), FERC Docket No. RC13-3-000 (December 31, 2012)

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 2; 3; 4
  • Region: TRE
  • Issue: TRE conducted an audit of URE and found that URE violated R1 of CIP-002-3 in that it did not classify or document a risk-based assessment methodology (RBAM) that identifies its CAs. URE had drafted an RBAM document in March 2012, but had not approved or applied the document. URE submitted an approved RBAM to TRE, but TRE decided that the violation lasted from when URE was mandated to abide by CIP-002-3 to when the RBAM was approved and documented, totaling five weeks. URE also did not come up with a list of its CAs by applying its RBAM annually, pursuant to CIP-002-3 R2, since it did not have its RBAM. Furthermore, URE violated R3 of CIP-002-3 since without a documented RBAM, it could not document a list of CAs by using its RBAM. URE also could not document a list of associated CCAs without a list of CAs. Finally, URE violated R4 of CIP-002-3 in that its senior manager did not approve the RBAM as well as the CA and CCA lists annually.
  • Finding: TRE found that the issue posed a minimal risk to the reliability of the bulk power system for the following reasons: (1) URE does not possess any CAs or CCAs; (2) URE's approved RBAM shows that it went through the CA criteria and found no CAs or CCAs, showing that during the five weeks of violation, URE had no CAs or CCAs; (3) URE's TOP stated in documentation that it did not determine URE's assets to be critical; (4) the duration of violation was five weeks, which curtailed the risk to the BPS.

Unidentified Registered Entity 2 (URE2), Docket No. RC13-6-000 (February 28, 2013)

  • Reliability Standard: CIP-002-3
  • Requirement: 4
  • Region: TRE
  • Issue: URE2 submitted a self-report of a compliance issue with CIP-002-3 R4 because its senior manager in charge of CIP compliance had not signed off on URE2's risk-based assessment methodology (RBAM) and CA/CCA lists each year as required by its own procedures. Although previous years' RBAM and CA/CCAs lists had been reviewed and signed on time, a CIP senior manager new to the position did not sign or review the documents prior to the annual deadline.
  • Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. Once the documents were reviewed, no changes were found, meaning URE2 had accurate documents during the time period at issue (12 days).

Unidentified Registered Entity 1 (SERC_URE1), Docket No. RC13-9-000 (May 30, 2013)

  • Reliability Standard: CIP-002-3
  • Requirement: 2
  • Region: SERC
  • Issue: SERC_URE1 self-reported, five months after an initial Compliance Audit notice, that it lacked evidence of application of its risk-based assessment methodology (RBAM) to develop a list of its identified Critical Assets for one year. The RBAM must be applied annually. This was the only year that SERC_URE1 missed in application of the RBAM to develop its identified Critical Assets list.
  • Finding: SERC found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. SERC_URE1 applied the RBAM before and after the missed year. During those years it did not identify any Critical Assets. SERC_URE1 does not have any Critical Assets or any facilities that would meet CIP-002-4’s definition of Critical Assets.

Unidentified Registered Entity 1 (SERC_URE1), Docket No. RC13-9-000 (May 30, 2013)

  • Reliability Standard: CIP-002-3
  • Requirement: R4
  • Region: SERC
  • Issue: SERC, during a Compliance Audit, noted that SERC_URE1 did not approve the risk-based assessment methodology (RBAM), list of Critical Assets and list of Critical Cyber Assets (CCAs) for two years. The standard requires yearly approval.
  • Finding: SERC_URE1 applied the RBAM before and after the missed years. During those years it did not identify any Critical Assets. SERC_URE1 does not have any Critical Assets or any facilities that would meet CIP-002-4’s definition of Critical Assets.

Unidentified Registered Entity 6 (NPCC_URE6), Docket No. RC13-9, May 30, 2013

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 1.1; 2; 4
  • Region: NPCC
  • Issue: NPCC_URE6 self-reported issues with CIP-002-3 R1.1, R2 and R4 to NPCC when NPCC_URE6 found that its risk-based assessment methodology (RBAM) for Critical Assets had not been documented by its IT personnel and previous NERC-responsible personnel prior to 2012. As a result, NPCC_URE6 did not develop a list of its identified Critical Assets through an annual application of the RBAM, nor did it have annual approval of the RBAM by senior management or delegate(s).
  • Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because this was a documentary issue, as NPCC_URE6 had indeed conducted the required assessments to determine whether it had Critical Assets since it was registered, but had simply not documented its findings. NPCC_URE6 documented RBAM upon identifying the issues, and has no Critical Assets nor does it own or operate any facilities that would meet any of the Critical Asset criteria set forth in CIP-002-3.

Unidentified Registered Entity 7 (NPCC_URE7), Docket No. RC13-9, May 30, 2013

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 1.1; 2; 4
  • Region: NPCC
  • Issue: NPCC_URE7 self-reported issues with CIP-002-3 R1.1, R2 and R4 to NPCC when NPCC_URE7 found that its risk-based assessment methodology (RBAM) for Critical Assets had not been documented by its IT personnel and previous NERC-responsible personnel prior to 2012. As a result, NPCC_URE7 did not develop a list of its identified Critical Assets through an annual application of the RBAM, nor did it have annual approval of the RBAM by senior management or delegate(s).
  • Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because this was a documentary issue, as NPCC_URE7 had indeed conducted the required assessments to determine whether it had Critical Assets since it was registered, but had simply not documented its findings. NPCC_URE7 documented RBAM upon identifying the issues, and has no Critical Assets nor does it own or operate any facilities that would meet any of the Critical Asset criteria set forth in CIP-002-3.

Unidentified Registered Entity 8 (NPCC_URE8), Docket No. RC13-9, May 30, 2013

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 1.1; 2; 4
  • Region: NPCC
  • Issue: NPCC_URE8 self-reported issues with CIP-002-3 R1.1, R2 and R4 to NPCC when NPCC_URE8 found that its risk-based assessment methodology (RBAM) for Critical Assets had not been documented by its IT personnel and previous NERC-responsible personnel prior to 2012. As a result, NPCC_URE8 did not develop a list of its identified Critical Assets through an annual application of the RBAM, nor did it have annual approval of the RBAM by senior management or delegate(s).
  • Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because this was a documentary issue, as NPCC_URE8 had indeed conducted the required assessments to determine whether it had Critical Assets since it was registered, but had simply not documented its findings. NPCC_URE8 documented RBAM upon identifying the issues, and has no Critical Assets nor does it own or operate any facilities that would meet any of the Critical Asset criteria set forth in CIP-002-3.

Unidentified Registered Entity 9 (NPCC_URE9), Docket No. RC13-9, May 30, 2013

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 1.1; 2; 4
  • Region: NPCC
  • Issue: NPCC_URE9 self-reported issues with CIP-002-3 R1.1, R2 and R4 to NPCC when NPCC_URE9 found that its risk-based assessment methodology (RBAM) for Critical Assets had not been documented by its IT personnel and previous NERC-responsible personnel prior to 2012. As a result, NPCC_URE9 did not develop a list of its identified Critical Assets through an annual application of the RBAM, nor did it have annual approval of the RBAM by senior management or delegate(s).
  • Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because this was a documentary issue, as NPCC_URE9 had indeed conducted the required assessments to determine whether it had Critical Assets since it was registered, but had simply not documented its findings. NPCC_URE9 documented RBAM upon identifying the issues, and has no Critical Assets nor does it own or operate any facilities that would meet any of the Critical Asset criteria set forth in CIP-002-3.

Unidentified Registered Entity 10 (NPCC_URE10), Docket No. RC13-9, May 30, 2013

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 1.1; 2; 4
  • Region: NPCC
  • Issue: NPCC_URE10 self-reported issues with CIP-002-3 R1.1, R2 and R4 to NPCC when NPCC_URE10 found that its risk-based assessment methodology (RBAM) for Critical Assets had not been documented by its IT personnel and previous NERC-responsible personnel prior to 2012. As a result, NPCC_URE10 did not develop a list of its identified Critical Assets through an annual application of the RBAM, nor did it have annual approval of the RBAM by senior management or delegate(s).
  • Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because this was a documentary issue, as NPCC_URE10 had indeed conducted the required assessments to determine whether it had Critical Assets since it was registered, but had simply not documented its findings. NPCC_URE10 documented RBAM upon identifying the issues, and has no Critical Assets nor does it own or operate any facilities that would meet any of the Critical Asset criteria set forth in CIP-002-3.

Unidentified Registered Entity 11 (NPCC_URE11), Docket No. RC13-9, May 30, 2013

  • Reliability Standard: CIP-002-3
  • Requirement: 1; 1.1; 2; 4
  • Region: NPCC
  • Issue: NPCC_URE11 self-reported issues with CIP-002-3 R1.1, R2 and R4 to NPCC when NPCC_URE11 found that its risk-based assessment methodology (RBAM) for Critical Assets had not been documented by its IT personnel and previous NERC-responsible personnel prior to 2012. As a result, NPCC_URE11 did not develop a list of its identified Critical Assets through an annual application of the RBAM, nor did it have annual approval of the RBAM by senior management or delegate(s).
  • Finding: NPCC found that the issues posed minimal risk to the reliability of the BPS because this was a documentary issue, as NPCC_URE11 had indeed conducted the required assessments to determine whether it had Critical Assets since it was registered, but had simply not documented its findings. NPCC_URE11 documented RBAM upon identifying the issues, and has no Critical Assets nor does it own or operate any facilities that would meet any of the Critical Asset criteria set forth in CIP-002-3.